36 Million Android Devices Infected by ‘Judy’ Malware on Google Play

Its been just a couple of weeks the world came up from the devastating Ransomware attack, and now its been said by the security research firm Check Point that about 36.5 Million of Android devices are already infected by a malware called ‘Judy’. The cartoon character associated with games like Chef Judy: Picnic Lunch Maker and Fashion Judy: Magic Girl Style, Judy, is probably the largest spread malware on Google Play today.

This Judy Malware is basically an auto-clicking adware that clicks the Google Ads on its own which in return pays the malware creator. Surprisingly it is found in almost 40 Apps which are developed by a proper Korean organization named Kiniwini which is published on Google Play as ENISTUDIO Corp. The report from Check Point has also pointed towards other developers too who’s apps have been found with Judy.

All these apps have been downloaded from 4.5 Million to 18.5 Million times. Judy automates the infected devices to generate huge number of fraudulent clicks on Google Ads. And that generates millions of dollars to the Judy Creators. Most of these games (and from other developers) were on Google Play since years, but Judy has been updated recently, since March 2017.

Now wondering how did they not get detected in Google Bouncers and got Published on PlayStore?

Here is how Check Point explains the same:

To bypass Bouncer, Google Play’s protection, the hackers create a seemingly benign bridgehead app, meant to establish connection to the victim’s device, and insert it into the app store. Once a user downloads a malicious app, it silently registers receivers which establish a connection with the C&C server. The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author. The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website. Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure.

Upon clicking the ads, the malware author receives payment from the website developer, which pays for the illegitimate clicks and traffic. The JavaScript code locates the targeted ads by searching for iframes which contain ads from Google ads infrastructure. The fraudulent clicks generate a large revenue for the perpetrators, especially since the malware reached a presumably wide spread.

Now the question is how can we confirm if our Android device is Infected by Judy or not? Well, officially there’s no tool to check Judy yet, but you can run any of your Antivirus program to scan the device. Now sure those will be helpful, but a chance until we get some proper tool for the same.